[gull-annonces] Summary of SecurityFocus Newsletter #225

Marc SCHAEFER schaefer at alphanet.ch
Tue Dec 2 15:11:02 CET 2003


OpenBSD semctl/semop Local Unexpected Array Indexing Vulnera...
BugTraq ID: 9086
Remote: No
Date Published: Nov 21 2003
Relevant URL: http://www.securityfocus.com/bid/9086
Summary:
The semop system call is used to carry out an array of operations on a
specified set of semaphores. The semctl system call allows for a number of
control operations to be carried out on a specified semaphore.

A vulnerability has been discovered in an operation carried out by both
system calls, specifically when handling the 'semid' parameter. The
problem occurs within the sysv_sem.c source file when carrying out sanity
checks on the aforementioned parameter.

The first operation carried out by both system calls, after deriving the
appropriate semid value, is to ensure that the value is not negative and
not larger than a specific limit. However, the code incorrectly compares
semid against seminfo.semmsl (the maximum number of semaphores per set)
rather than the correct seminfo.semmni (the maximum number of semaphore
sets). This could allow semid to be larger than expected.

A pointer to a specific semaphore set structure is subsequently obtained
by indexing into an array of semaphore sets via the semid value. Because
the value may be larger than expected, the pointer will be read from an
unintended location in memory and may be an invalid memory address.

The pointer is then dereferenced to query structure fields. Under the
conditions above, this is likely to touch an unmapped location in memory,
triggering a fault and causing the kernel to panic.

Despite the number of restrictive conditions that would need to be met, it
has been speculated that a sufficiently skilled attacker could
theoretically exploit this condition to elevate local privileges. This
information has not yet been confirmed.

It should be noted that an attacker's ability to elevate privileges on an
OpenBSD 3.4 system may be hampered by the memory protection schemes
recently implemented into the operating system. However, despite these
changes a sufficiently skilled attacker may still be capable of bypassing
the protections.
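The bounds check described above, as an added illustration in C. This is
not OpenBSD's sysv_sem.c; the seminfo structure, the limit values and the
array are constructed stand-ins, chosen so that semmni is smaller than
semmsl and the mistaken comparison is visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified mirror of the kernel's seminfo: semmni is the maximum number
 * of semaphore sets, semmsl the maximum number of semaphores per set. */
struct seminfo_t { int semmni; int semmsl; };
struct semid_ds_t { int nsems; };   /* stand-in for a semaphore set structure */

/* Constructed limits: only 8 sets, but up to 60 semaphores in each. */
static const struct seminfo_t seminfo = { .semmni = 8, .semmsl = 60 };
static struct semid_ds_t sema[8];   /* sized by semmni, indexed by semid */

/* Vulnerable check, as described above: semid is compared against the
 * per-set limit (semmsl) instead of the number of sets (semmni). */
bool semid_check_vulnerable(int semid) {
    return semid >= 0 && semid < seminfo.semmsl;
}

/* Corrected check: semid must be a valid index into sema[]. */
bool semid_check_fixed(int semid) {
    return semid >= 0 && semid < seminfo.semmni;
}

/* True when the vulnerable check accepts a semid that would index past
 * the end of sema[] (semmni <= semid < semmsl). */
bool vulnerable_check_allows_oob(int semid) {
    return semid_check_vulnerable(semid) && !semid_check_fixed(semid);
}

/* Safe lookup: returns the set for a valid semid, NULL otherwise. */
struct semid_ds_t *lookup_set(int semid) {
    if (!semid_check_fixed(semid)) return NULL;
    return &sema[semid];
}

int main(void) {
    for (int id = 0; id < seminfo.semmsl; id++)
        if (vulnerable_check_allows_oob(id))
            printf("semid %d passes the semmsl check but is outside sema[%d]\n",
                   id, seminfo.semmni);
    return 0;
}
```

With these constructed limits, every semid from 8 to 59 passes the wrong
check and would index past the array; whatever happens to sit there is then
used as a pointer, which is the panic the summary describes.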

GEdit Large IOStream File Memory Corruption Vulnerability
BugTraq ID: 9090
Remote: No
Date Published: Nov 23 2003
Relevant URL: http://www.securityfocus.com/bid/9090
Summary:
gEdit is a freely available, open source text processing application.  It
is available for the Unix and Linux platforms.

A problem has been reported in the handling of certain file types by
gEdit.  Because of this, it may be possible to cause memory corruption.

The problem is in the handling of files with long strings.  When a file
with long strings and no terminators is opened with gEdit, a memory
corruption error occurs.  This problem is likely a buffer overflow, though
this has not been confirmed.

In the event that this is an exploitable overflow, it could be possible to
execute arbitrary code by embedding arbitrary instructions in a
maliciously crafted file.  Any instructions executed through gEdit would
be with the privileges of the gEdit user.

Thomson Cable Modem Remote Denial Of Service Vulnerability
BugTraq ID: 9091
Remote: Yes
Date Published: Nov 24 2003
Relevant URL: http://www.securityfocus.com/bid/9091
Summary:
The TCM product line is a family of cable modems distributed by Thomson.

A problem has been identified in Thomson Cable Modems when handling long
requests on the HTTP port.  Because of this, it may be possible for an
attacker to deny service to legitimate users of the device.

The problem is in the handling of strings of excessive length in HTTP
requests.  When a request containing 100 or more bytes of data is made to
the HTTP server on the modem, the modem becomes unstable and crashes.
This could be repeated to perform a prolonged denial of service.

The problem is likely related to a boundary condition error in the device
firmware.  If this is the case, the possibility exists for code execution
on the device under the right circumstances.

It is not currently known whether this device exposes the web server on
the WAN interface. That would be an unlikely design, so exposure is
probably limited to the LAN interface.

[ hardware: Speed Touch ]

Linux IPRoute Spoofed Kernel Messages Denial Of Service Vuln...
BugTraq ID: 9092
Remote: No
Date Published: Nov 24 2003
Relevant URL: http://www.securityfocus.com/bid/9092
Summary:
iproute is a freely available, open source network suite for the Linux
platform.

A problem has been discovered in iproute when handling messages from the
kernel.  Because of this, it may be possible for an attacker to deny
service to legitimate users of a system.

The problem is in the checking of the origins of messages from the kernel.
By creating specially crafted messages, it is possible to send spoofed
messages on the kernel netlink interface that will fool iproute into
reacting unpredictably.  This could lead to loss of proper routing tables,
or other types of routing attacks.

Pan Long Author Address Denial Of Service Vulnerability
BugTraq ID: 9093
Remote: Yes
Date Published: Nov 24 2003
Relevant URL: http://www.securityfocus.com/bid/9093
Summary:
Pan is a freely available, open source news reading utility.  It is
available for the Unix and Linux platforms.

A problem has been reported in the handling of addresses in Pan.  Because
of this, it is possible for a remote attacker to deny service to
legitimate users of an application.

The problem is in the handling of news posts containing long author e-mail
addresses.  When the program encounters such an article, it becomes
unstable and crashes.  The program will continue to crash each time an
attempt to read the malicious article is made.

SIRCD Server Operator Privilege Escalation Vulnerability
BugTraq ID: 9097
Remote: Yes
Date Published: Nov 20 2003
Relevant URL: http://www.securityfocus.com/bid/9097
Summary:
sircd is an IRC server daemon, for Linux and Unix platforms.

sircd has been reported prone to a privilege escalation vulnerability. The
issue has been reported to exist in s_client.c. It has been reported that
any user logged on to the sircd server, may set their usermode to +o, or
operator mode.

An attacker may exploit this condition to hijack IRC channels or
impersonate users; these privileges may aid the attacker in further
attacks launched against the target server.

It should be noted that although sircd versions 0.5.2 and 0.5.3 have been
reported vulnerable, other versions might also be affected.
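The summary does not say how s_client.c fails, only that a client-sent
MODE can set +o. The following is an added example, not sircd's code,
showing a user-mode handler that honours every letter beside one that
refuses to grant operator status from a MODE string. The mode bits and
letters are assumed; a real server has many more.

```c
#include <stdbool.h>

/* Assumed user-mode bits; real servers have more. */
#define UMODE_INVISIBLE 0x01u   /* +i */
#define UMODE_WALLOPS   0x02u   /* +w */
#define UMODE_OPER      0x04u   /* +o: must come only from a successful OPER */

static unsigned flag_for(char c) {
    switch (c) {
    case 'i': return UMODE_INVISIBLE;
    case 'w': return UMODE_WALLOPS;
    case 'o': return UMODE_OPER;
    default:  return 0;          /* unknown letters are ignored */
    }
}

/* Vulnerable handler: every letter in the client's MODE string is honoured,
 * so "MODE nick +o" makes any user an operator. */
unsigned apply_umode_vulnerable(unsigned modes, const char *s) {
    bool add = true;
    for (; *s; s++) {
        if (*s == '+') { add = true; continue; }
        if (*s == '-') { add = false; continue; }
        unsigned f = flag_for(*s);
        if (add) modes |= f; else modes &= ~f;
    }
    return modes;
}

/* Fixed handler: a client may drop +o on itself but can never add it
 * through MODE; the attempt is skipped and reported via *refused so the
 * server can log it.  Granting UMODE_OPER is left to the OPER command. */
unsigned apply_umode_fixed(unsigned modes, const char *s, bool *refused) {
    bool add = true;
    *refused = false;
    for (; *s; s++) {
        if (*s == '+') { add = true; continue; }
        if (*s == '-') { add = false; continue; }
        unsigned f = flag_for(*s);
        if (f == UMODE_OPER && add) { *refused = true; continue; }
        if (add) modes |= f; else modes &= ~f;
    }
    return modes;
}

/* Helpers: resulting modes, and whether the fixed handler refused a +o. */
unsigned modes_after_fixed(unsigned modes, const char *s) {
    bool refused;
    return apply_umode_fixed(modes, s, &refused);
}

bool fixed_refuses(unsigned modes, const char *s) {
    bool refused;
    apply_umode_fixed(modes, s, &refused);
    return refused;
}
```

The other letters in the same string are still applied, so a client
sending "+io" becomes invisible but not an operator, and the refusal is
available for logging, which is what an operator reviewing abuse wants.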

Monit HTTP Content-Length Parameter Denial of Service Vulner...
BugTraq ID: 9098
Remote: Yes
Date Published: Nov 24 2003
Relevant URL: http://www.securityfocus.com/bid/9098
Summary:
Monit is a utility for the Linux and Unix operating systems that is
designed to monitor processes, devices, files, and directories. The
application makes use of an HTTPS interface to allow remote users to
monitor system statistics.

A vulnerability has been discovered in Monit 4.1 and earlier that could
potentially allow an anonymous attacker to crash the daemon process. The
problem occurs due to Monit failing to sanitize a specific HTTP parameter
before passing its values to a memory allocation function.

Specifically, Monit does not verify the sanity of the Content-Length HTTP
header before passing it as an argument to the xmalloc() function. As a
result, a negative Content-Length value is converted to an unsigned size
by the allocator and interpreted as an excessively large value. This will
likely cause xmalloc() to fail unexpectedly, resulting in the daemon
crashing.

Although unconfirmed, the crash may in fact occur due to the program
failing to handle NULL values returned from xmalloc(), possibly resulting
in a NULL pointer dereference.
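The signed-to-unsigned conversion described above, as an added example in
C that is not Monit's code. unchecked_alloc_size() reproduces the pattern
(header parsed into an int, then handed to a size_t allocator) and
parse_content_length() is the check a server needs; MAX_BODY is an assumed
ceiling.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_BODY ((size_t)1 << 20)   /* assumed ceiling: 1 MiB request body */

/* The pattern described above: the header is parsed into a signed int and
 * handed to an allocator that takes size_t.  "-1" becomes SIZE_MAX, which
 * any malloc() will refuse.  Returns the size the allocator would see. */
size_t unchecked_alloc_size(const char *content_length) {
    int len = atoi(content_length);   /* no sign or range validation */
    return (size_t)len;               /* negative -> enormous unsigned value */
}

/* Checked parser: digits only (so no '-' or '+'), no overflow, hard ceiling.
 * Returns false and leaves *out untouched on anything else. */
bool parse_content_length(const char *s, size_t *out) {
    if (s == NULL || *s == '\0') return false;
    for (const char *p = s; *p; p++)
        if (*p < '0' || *p > '9') return false;    /* rejects "-1", "12abc", " 5" */
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0') return false;
    if (v > MAX_BODY) return false;                 /* the peer must not size our heap */
    *out = (size_t)v;
    return true;
}

/* Allocation guarded by the parser: NULL means "reject the request",
 * never "attempt a giant allocation". */
void *alloc_body(const char *content_length) {
    size_t n;
    if (!parse_content_length(content_length, &n)) return NULL;
    return calloc(n == 0 ? 1 : n, 1);
}

/* Helper: parsed value, or -1 when the parser rejects the input. */
long long checked_content_length(const char *s) {
    size_t n;
    return parse_content_length(s, &n) ? (long long)n : -1;
}
```

Note that the ceiling matters as much as the sign check: a positive but
huge Content-Length, which atoi() would also accept, still lets a remote
peer drive the allocator into failure.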

Monit Overly Long HTTP Request Buffer Overrun Vulnerability
BugTraq ID: 9099
Remote: Yes
Date Published: Nov 24 2003
Relevant URL: http://www.securityfocus.com/bid/9099
Summary:
Monit is a utility for the Linux and Unix operating systems that is
designed to monitor processes, devices, files, and directories. The
application makes use of an HTTPS interface to allow remote users to
monitor system statistics.

A buffer overrun vulnerability has been discovered in Monit 4.1 and
earlier that could potentially allow a remote attacker to execute
arbitrary code with root privileges. The problem occurs due to Monit
failing to carry out sufficient bounds checking when handling HTTP request
data.

An attacker could potentially exploit this condition to overwrite
sensitive process memory variables, allowing for the execution flow of
Monit to be controlled. Successful exploitation of this vulnerability
could lead to an attacker gaining remote root access to an affected
system.

Thomson SpeedTouch DSL Router Port Scan Denial Of Service Vu...
BugTraq ID: 9102
Remote: Yes
Date Published: Nov 25 2003
Relevant URL: http://www.securityfocus.com/bid/9102
Summary:
SpeedTouch is a line of DSL routers distributed by Thomson.

A problem has been reported in SpeedTouch DSL routers when routing certain
types of traffic.  Because of this, it may be possible to deny service to
legitimate users of a vulnerable router.

The problem is in the handling of scans from some types of security
software.  Reports indicate that when security scans are initiated from
software such as Nessus and NMAP and routed across the router to a remote
system, the router becomes unstable.  This problem has been reported to
reproduce a reliable crash, resulting in a denial of service to network
users.

This problem is currently known to affect the 510 model, though other
models may also be affected.

[ hardware ]

HP ProCurve Switch Denial of Service Vulnerability
BugTraq ID: 9103
Remote: Yes
Date Published: Nov 26 2003
Relevant URL: http://www.securityfocus.com/bid/9103
Summary:
A denial of service vulnerability has been reported to exist in the HP
ProCurve Switches.  The problem is reported to occur in the presence of
RPC worms such as W32.Welchia.Worm (MCID 1811) and W32.Blaster.Worm (MCID
1761).

Reports have indicated that the vulnerable switches react in an unstable
manner in the presence of certain RPC worms.  This issue results in
deteriorated network traffic leading to a denial of service condition for
network users.  This problem is reported to affect systems running
Microsoft Windows operating systems.

This vulnerability may cause the switch software to crash, thereby denying
service to legitimate users.

[ hardware ]

Mozilla Chatzilla IRC URI Handler Memory Corruption Vulnerab...
BugTraq ID: 9104
Remote: Yes
Date Published: Nov 26 2003
Relevant URL: http://www.securityfocus.com/bid/9104
Summary:
Mozilla web browser includes support for various chat protocols such as
IRC via the Chatzilla component.

The Mozilla Chatzilla IRC URI handler is prone to a memory corruption
vulnerability when handling URIs of excessive length.  This condition can
reportedly be triggered if the client visits an irc: URI that is
approximately 40K in length.  This will cause the browser to crash with an
access violation error in js3250.dll.  Though unconfirmed, this issue
could theoretically be exploited to execute arbitrary code if an attacker
can corrupt specific regions of memory and control execution flow of the
program.

This issue was reported for Mozilla on Windows platforms.  It is not known
if other versions are similarly affected.

This issue may be related to BID 4637.

ISC BIND Negative Cache Poison Denial Of Service Vulnerabili...
BugTraq ID: 9114
Remote: Yes
Date Published: Nov 26 2003
Relevant URL: http://www.securityfocus.com/bid/9114
Summary:
ISC BIND is a server program that implements the Domain Name System (DNS)
protocol. It is widely used on the Internet.

BIND has been reported prone to a DNS cache poisoning vulnerability; the
issue is due to negative answers being cached from an incorrect source. A
remote attacker who controls a DNS server capable of serving authoritative
negative responses may exploit this issue. If the vulnerable BIND server
queries the attacker-controlled name server, authoritative negative
responses that should not be accepted will poison the cache of the
vulnerable BIND server. As a result, resolvers will be unable to resolve
the domains named in the negative records. It has been reported that this
denial of service lasts until the bad record expires from the cache; an
attacker may set a high TTL so that the malicious record remains in the
target server's cache for as long as possible.

The vendor has stated that the fix adds anti-cache-poisoning measures for
negative answers to the affected versions.

A remote attacker may exploit this vulnerability to deny service to
affected servers for legitimate users. There may also be other
consequences associated with this vulnerability, though this has not been
confirmed.

This BID will be updated when further explicit information relating to
this vulnerability is made public.
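The two checks a caching resolver applies to a negative answer, as an
added example in C (not BIND's code): a bailiwick test on a label boundary,
and the negative-cache TTL computation from RFC 2308 capped by a local
maximum (BIND exposes that cap as max-ncache-ttl). The names and TTL values
in the comments and tests are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Length of a name without its trailing dot, so "example.com." == "example.com". */
static size_t name_len(const char *s) {
    size_t n = strlen(s);
    return (n > 0 && s[n - 1] == '.') ? n - 1 : n;
}

/* Case-insensitive compare of n bytes (DNS names are case-insensitive). */
static bool eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        char x = a[i], y = b[i];
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y) return false;
    }
    return true;
}

/* True if name is zone itself or a subdomain of zone, matched on a label
 * boundary: "www.example.com" is inside "example.com"; "notexample.com" is not. */
bool in_bailiwick(const char *name, const char *zone) {
    size_t nl = name_len(name), zl = name_len(zone);
    if (zl == 0) return true;                     /* the root zone covers everything */
    if (nl < zl) return false;
    if (!eq_nocase(name + (nl - zl), zone, zl)) return false;
    return nl == zl || name[nl - zl - 1] == '.';
}

/* Gate for a negative answer.  delegated_zone is the zone we sent the query
 * to this server for; soa_owner is the SOA in its authority section.  Accept
 * only if the SOA lies inside that delegation and the queried name lies
 * inside the SOA's zone.  A server delegated attacker.example therefore
 * cannot plant an NXDOMAIN for victim.example. */
bool accept_negative_answer(const char *qname, const char *soa_owner,
                            const char *delegated_zone) {
    return in_bailiwick(soa_owner, delegated_zone) && in_bailiwick(qname, soa_owner);
}

/* Negative caching TTL per RFC 2308: min(SOA MINIMUM, SOA record TTL), then
 * capped locally so an attacker's large TTL cannot pin a bad record. */
unsigned negative_ttl(unsigned soa_minimum, unsigned soa_ttl, unsigned max_ncache_ttl) {
    unsigned t = soa_minimum < soa_ttl ? soa_minimum : soa_ttl;
    return t < max_ncache_ttl ? t : max_ncache_ttl;
}
```

The label-boundary test is the part that is easy to get wrong: a plain
suffix compare would let a server for example.com speak for
notexample.com. The TTL cap is the operational mitigation the summary hints
at when it mentions high TTL values.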

GnuPG ElGamal Signing Key Private Key Compromise Vulnerabili...
BugTraq ID: 9115
Remote: Yes
Date Published: Nov 27 2003
Relevant URL: http://www.securityfocus.com/bid/9115
Summary:
GnuPG includes optional support for using the ElGamal algorithm for both
signing and encryption.  This allows users to generate public/private key
pairs that may be used to sign content with ElGamal.

A vulnerability has been reported in how ElGamal signing keys are
implemented that could compromise private keys.  The vendor has stated
that this vulnerability could be practically exploited to compromise
private keys in seconds.  Compromised private keys may then be used to
sign content, which will appear authentic and may be trusted based on this
appearance.  If content is encrypted using ElGamal sign+encrypt keys, it
could also be at risk, though this has not been confirmed.

This vulnerability was introduced as of version 1.0.2 of GnuPG.  It should
also be noted that this issue does not affect any other key types or
ElGamal keys that are used for encryption only.

Further technical information is not available at this point, though the
vendor advises against the future use of ElGamal signing keys and has
provided a patch which removes support for the keys.

GNU Screen Escape Sequence Buffer Overrun Vulnerability
BugTraq ID: 9117
Remote: Yes
Date Published: Nov 27 2003
Relevant URL: http://www.securityfocus.com/bid/9117
Summary:
GNU Screen is prone to a buffer overrun vulnerability that may be
triggered by including 2 gigabytes or more of semicolons (;) in an escape
sequence.

The source of the problem is that the w_NumArgs variable (in the ansi.c
source file) is declared as a signed integer.  The value is checked
against MAXARGS to determine whether it is below that limit.  If enough
input is supplied to wrap the counter around to a negative number, the
size check succeeds when it should have failed.  Later operations guarded
by the same check may then corrupt memory with attacker-controlled data.
Exploitation may potentially allow execution of arbitrary code or result
in a denial of service.

This issue could be exploited locally to gain elevated privileges or in
some cases remote exploitation may also be possible (though unlikely due
to the amount of data required) since escape sequences could originate
from a remote network session using SSH, telnet or another network client.
Screen is usually installed with setgid utmp or setuid root permissions.
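The wrap described above, as an added example in C that is not Screen's
ansi.c. The parser counts ';'-separated parameters of a control sequence;
a start value is taken as a parameter so the wrap can be shown without
feeding two billion semicolons, and MAXARGS is an assumed array size.

```c
#include <limits.h>
#include <stdbool.h>

#define MAXARGS 16   /* assumed size of the per-window argument array */

/* Two's-complement increment done through unsigned arithmetic so the wrap
 * is well defined here; a plain signed ++ past INT_MAX is undefined in C,
 * although real compilers produce exactly this wrap. */
static int wrap_inc(int v) { return (int)((unsigned)v + 1u); }

/* Vulnerable counting, as described above: a signed counter bumped on
 * every ';' with no upper bound.  'start' lets the demo begin near INT_MAX. */
int count_args_vulnerable(int start, const char *seq) {
    int nargs = start;
    for (; *seq; seq++)
        if (*seq == ';') nargs = wrap_inc(nargs);
    return nargs;
}

/* The store-time check: passes for any negative nargs, so args[nargs]
 * would be written far below the array once the counter has wrapped. */
bool store_allowed_vulnerable(int nargs) {
    return nargs < MAXARGS;
}

/* Fixed counting: never negative, saturates at MAXARGS so surplus
 * parameters are dropped rather than counted. */
int count_args_fixed(int start, const char *seq) {
    int nargs = start < 0 ? 0 : (start > MAXARGS ? MAXARGS : start);
    for (; *seq; seq++)
        if (*seq == ';' && nargs < MAXARGS) nargs++;
    return nargs;
}

/* Fixed check: both bounds, so a wrapped or corrupted counter is rejected. */
bool store_allowed_fixed(int nargs) {
    return nargs >= 0 && nargs < MAXARGS;
}
```

Two semicolons starting from INT_MAX - 1 leave the vulnerable counter at
INT_MIN, which "passes" the one-sided check; the saturating version never
leaves the range 0..MAXARGS, and the two-sided check refuses both ends.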

Traceroute Detection Security Tool Remote Format String Vuln...
BugTraq ID: 9119
Remote: Yes
Date Published: Nov 27 2003
Relevant URL: http://www.securityfocus.com/bid/9119
Summary:
In issue 51 of Phrack magazine, the detecttr.c utility was released by
Baldor for detecting attempted traceroutes against a specific machine. The
tool is now available from a variety of Unix security resource websites,
and other locations.

Snosoft has reported that the detecttr.c utility is prone to a remote
format string vulnerability. The problem occurs due to erroneous use of
the syslog() function: the hostname being logged is passed directly as
the format string rather than through a "%s" conversion. As a result, an
attacker may be capable of constructing a malicious hostname containing
embedded format specifiers, which syslog() will interpret when the
hostname is logged.

Successful exploitation of this vulnerability could potentially lead to
the execution of arbitrary code with the privileges of the user who
invoked the detecttr.c tool.
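The logging mistake described above, as an added example in C (not
detecttr.c). logwrap() is a stand-in for syslog(3) with the same varargs
shape that formats into a buffer, so the difference between the two calls
is visible without a syslog daemon; the hostnames are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char logbuf[256];

/* Stand-in for syslog(3): same varargs shape, writes to logbuf instead. */
static void logwrap(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);
}

/* Vulnerable: the hostname IS the format string, so every '%' in it is
 * interpreted.  "%x" reads stack/registers, "%n" writes memory; the demo
 * below only uses "%%" so it stays deterministic.  Equivalent to
 * syslog(LOG_INFO, host). */
const char *log_host_vulnerable(const char *host) {
    logwrap(host);
    return logbuf;
}

/* Fixed: the hostname is a "%s" argument and is never interpreted.
 * Equivalent to syslog(LOG_INFO, "%s", host). */
const char *log_host_fixed(const char *host) {
    logwrap("%s", host);
    return logbuf;
}

/* Returns 1 if the two paths produce different log lines for this host,
 * i.e. the hostname was interpreted as a format string. */
int hostname_was_interpreted(const char *host) {
    char a[256];
    strncpy(a, log_host_vulnerable(host), sizeof a - 1);
    a[sizeof a - 1] = '\0';
    return strcmp(a, log_host_fixed(host)) != 0;
}
```

Compilers warn about a non-literal format passed to syslog() or printf()
(gcc's -Wformat-security), which is the cheapest way to find this class of
bug in a tree; a wrapper without the format attribute, like logwrap() here,
hides it, which is why real wrappers should carry
__attribute__((format(printf, 1, 2))).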

Bitfolge Snif Downloads Directory Traversal Vulnerability
BugTraq ID: 9121
Remote: Yes
Date Published: Nov 27 2003
Relevant URL: http://www.securityfocus.com/bid/9121
Summary:
Bitfolge snif is a script designed to generate web server directory
indices.

snif has been reported prone to a directory traversal issue, likely due to
insufficient sanitization of the 'download' URI parameter passed to the
snif script. It has been reported that by passing directory traversal
sequences such as '../..' as the value of the 'download' parameter, an
attacker may break out of the web root and download any file readable by
the web server.

An attacker may use information harvested in this manner to aid in further
attacks launched against the target system.

This vulnerability has been reported to affect snif 1.2.5 and prior
versions.
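The check a download handler needs before joining a user-supplied value
onto the document root, as an added example in C (snif itself is a script;
this is not its code). It rejects absolute paths, empty components, "." and
".." components and backslashes, then builds the path; WEB_ROOT is assumed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define WEB_ROOT "/var/www/files"   /* assumed document root */

/* Accepts only a relative path of non-empty components, none of which is
 * "." or "..", with no backslashes.  Apply it AFTER URL-decoding, otherwise
 * "%2e%2e/" passes here and turns into "../" later. */
bool is_safe_relative_path(const char *p) {
    if (p == NULL || *p == '\0' || *p == '/') return false;   /* empty or absolute */
    if (strchr(p, '\\') != NULL) return false;                  /* no alternate separator */
    for (const char *seg = p;;) {
        const char *end = strchr(seg, '/');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 0) return false;                             /* "a//b" or trailing "/" */
        if (len == 1 && seg[0] == '.') return false;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return false;
        if (end == NULL) return true;
        seg = end + 1;
    }
}

/* Joins WEB_ROOT and p into out.  Returns false if p is unsafe or the
 * result would not fit; out is not a usable path in that case. */
bool build_download_path(const char *p, char *out, size_t n) {
    if (!is_safe_relative_path(p)) return false;
    int w = snprintf(out, n, "%s/%s", WEB_ROOT, p);
    return w > 0 && (size_t)w < n;
}

/* Helper with a static buffer: NULL for a rejected value. */
const char *download_path_or_null(const char *p) {
    static char out[512];
    return build_download_path(p, out, sizeof out) ? out : NULL;
}
```

Rejecting ".." components is stricter than needed (a file genuinely named
".." cannot exist, but "docs/../docs/x" is harmless) and that is the
point: a deny-list of traversal strings invites the encoding and
normalization bypasses, while an allow-list of plain components does not.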
